What hacking taught journalists about cybersecurity

By Hannah Yasharoff

September 7, 2016

Share

Hannah Yasharoff is a student at the University of Maryland’s Philip Merrill College of Journalism. She participated in a cybersecurity workshop at the college that was supported by the Hewlett Foundation.

With the help of a hacker, reporters and editors inside a computer lab at the University of Maryland this summer witnessed for themselves just how easy it is to break into an insecure website.

By deleting one backslash from a line of code and replacing it with two other characters, participants in a “Cybersecurity for Journalists” workshop were able to remove each other’s posts, see each other’s passwords and ultimately, upload a file to destroy a website altogether.

“Do not do this outside this classroom,” admonished Craig Stevenson, the lead instructor of the Cyber Exploitation Unit of Raytheon Solipsys.

The workshop, funded by the Hewlett Foundation’s Cyber Initiative and co-hosted by the University of Maryland’s journalism school and the American Society of Newspaper Editors, drew 35 journalists from around the country. It was designed to give journalists first-hand experience of critical — but often little understood — cybersecurity issues, as well as giving them a chance to develop sources and come up with story ideas.

Washington Post reporter Dana Priest, the conference organizer and the Knight Chair in Public Affairs Journalism at the school, spoke about the importance of developing cybersecurity reporting skills: “There are many, many obstacles set in your way… but the American people— even though they keep saying how much they hate you— the American people depend on you to tell them what is happening.”

The hacking exercise “took the mystery out of it,” said Kimberly Pierceall, a business reporter at the Virginian Pilot who says she writes often about cyberattacks but had never seen one from the inside. “It was nice to do it ourselves… It isn’t magic, it’s knowing some semblance of coding.”

Michel Cukier, associate director of UMD’s undergraduate cybersecurity honors program, explained that when the internet was created, no one worried about security. Only decades later are governments, businesses, free speech proponents and policymakers trying to retrofit changes onto what has become an unparalleled global cyber infrastructure.

“It’s like you figured out how to design and build the first car and someone then asked you to turn the car into a boat,” he said. “And then turn the boat into a plane.”

Michael Hamilton, the former Chief Information Officer of Seattle and currently CEO of Critical Informatics, gave reporters a rapid-fire briefing on the vulnerability of local governments’ critical infrastructure, 85 percent of which, he said, is owned by industry.

To find sources, Hamilton suggested that reporters visit industry trade shows and hacking conferences, begin relationships with local FBI offices responsible for investigating larger breaches, and get to know leaders at cyber security firms, cyber fusion centers, and the cyber units at the state National Guard.

While understanding journalists’ fondness for the Freedom of Information Act, which allows reporters and the public to file requests to obtain public documents, he lamented what he called “public disclosure trolls,” individuals who file hundreds of FOIA requests as a hobby. These requests clog up resource-strained cities and state government bureaucracies.

Hamilton urged journalists to find a way to limit what he described as “nuisance filings.”

Stanford University cyber scholar Herb Lin walked through the many unanswered questions about cyber warfare. The first and most important question is attribution — who attacked whom?

But attribution is just the beginning, he said. What were the motives of the attacker? Was miscommunication a factor? What will be the intended and unintended consequences of responding militarily to a state-sponsored attack? Can the consequences be contained? What are the different levels of appropriate response?

Lin and others also lamented the lack of knowledge on the part of policymakers. “Technology leads policy by a lot,” he said. “At the federal level, there are maybe two people in Congress who understand this technology… law enforcement doesn’t really understand their role yet.”

Ellen Nakashima, one of the nation’s top cyber reporters and part of the Washington Post team that produced a Pulitzer Prize series based on documents leaked by Edward Snowden, urged reporters to develop sources by cultivating cyber experts in academia who can go in and out of government. “Formers, formers, formers,” she said, referring to former government employees who are more free to speak to journalists after leaving government positions.

Both of them recommended attending hacker conferences such as Defcon, Black Hat, ShmooCon, and DerbyCon. Hackers, Lin said, love to brag and share their accomplishments.

Two presentations offered reporters examples for turning the complexities of cybersecurity into effective storytelling. Bruce Auster, a senior editor at NPR, walked participants through the production of a story dubbed “Project Eavesdrop,” meant to show listeners how much personal data their cell phones and computers send out without their knowledge.

NPR hacked into reporter Steven Henn’s home office, with his knowledge and permission. Even though Henn believed he had set up good security measures, basic skill-level hacking was able to access his Google search data, locations visited, email addresses and telephone numbers through always open, data-trolling apps.

“Your phone is a promiscuous device,” explained Auster. “We’re willing to make a deal with the devil for the convenience of the society that we’re living in.”

Also presenting was visual artist Hasan Elahi, who recently was awarded a Guggenheim Fellowship for his surveillance-themed art projects. The project began shortly after the terrorist attacks of 9/11 when he was mistakenly added to the U.S. government’s watch list and spent six months being questioned by the FBI.

The FBI agent assigned to his case told him the best way to avoid questioning was to share his whereabouts with him. Elahi took the instruction literally and began an open-ended art project in which he revealed every aspect of his life to the agent, from the food he was in the process of eating, to bathroom toilets he visited.

Elahi photographed and uploaded plane tickets, road signs and everyday shopping trips. He has posted thousands upon thousands of images to his webpage for his agent and anyone else to see.

The result? “All my data is out there,” he said.

In the world we live in, cyber threats are more prominent than ever. The Internet has forced reporters to reinvent the way news is produced and shared. It’s also making them realize that understanding cybersecurity – a topic that still puzzles even top government officials – is increasingly important on a whole host of beats around the newsroom, from health care and business to national security and now, even domestic politics.

“I know some stuff just because I’m a computer nerd,” said Matt Dempsey, data reporter for the Houston Chronicle. “This cyber workshop has been a lot of information to take in, but it’s been helpful, really helpful.”